Fraudsters Impersonate Clop Ransomware to Extort Businesses


Fraudsters have been observed impersonating the Clop ransomware gang to extort businesses, researchers from Barracuda Networks have found.

The incident is part of a trend of scammers impersonating high-profile ransomware actors and claiming to have exfiltrated sensitive data in order to extort payments from targets.

In the extortion email, the attackers claimed to have exploited a vulnerability in managed file transfer firm Cleo, enabling them to gain unauthorized access to the victim company’s network.

They said this allowed them to download and exfiltrate data from the servers.

To lend authenticity to their claims, the threat actors included a link to a media blog post reporting that Clop had stolen data from 66 Cleo customers using this approach.

The exploitation of vulnerabilities in managed file transfer software has been a common tactic used by Clop to target victims en masse.

In the fake email, the victim was told that unless they made payment, the stolen information would be published on Clop’s “Blog.”

A series of contact email addresses were provided, with the victims urged to get in touch.

The Barracuda researchers said the email had all the hallmarks of a scam, because it lacks elements associated with genuine Clop extortion demands.

“If the email features elements such as a 48-hour payment deadline, links to a secure chat channel for ransom payment negotiations, and partial names of companies whose data was breached, then you are likely dealing with actual Clop ransomware, and you need to take immediate steps to mitigate the incident,” they wrote.

If these elements are missing, it is likely you are being scammed, the researchers added.

The fake Clop extortion emails are likely to reference media coverage of actual Clop ransomware attacks to try to appear legitimate.

The findings come shortly after GuidePoint Security and the FBI revealed fraudsters are sending businesses extortion letters purporting to be from the BianLian ransomware group.

In it, the sender claims to have compromised the recipient’s corporate network and stolen sensitive data, mimicking the threats of a genuine ransomware ransom note.

Phishing Attacks Evading Detection

Barracuda’s March Email Threat Radar report also identified phishing activity using techniques designed to evade traditional security defenses over the past month.

This includes the LogoKit phishing-as-a-service platform distributing malicious emails claiming to be about urgent password resets.

LogoKit has been active since 2022 and is capable of real-time interaction with victims. This means that attackers can adapt their phishing pages dynamically as the victim types in their credentials, making the website appear more legitimate.

The platform can also integrate with popular messaging services, social media and email platforms to distribute its phishing messages. This versatility makes the activity difficult to detect.

In the latest phishing activity involving LogoKit, threat actors distributed authentic-looking emails with the headers of “Password Reset Requested” or “Immediate Account Action Required.”

They are designed to encourage the recipient to quickly click on the link to resolve the supposed issue. Instead, they are sent to a dynamically created phishing page hosted by LogoKit, designed to look identical to the login portal and password reset page of the service the victim believes they are connecting to.

The victim is prompted to enter their login credentials, which are then captured by the attacker.

Barracuda also reported a continued rise in the use of Scalable Vector Graphics (SVG) attachments in phishing attacks.

SVG files contain XML-based text instructions that draw resizable, vector-based images on a computer.

These files are becoming a popular method for delivering malicious payloads because they can carry embedded scripts, which do not look suspicious to security tools.
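The practical consequence for defenders is that an SVG attachment is a document that can carry active content, so an attachment filter should parse it as XML and flag that content rather than trust the image-like extension. The checker below is an added example written for this article, not code from Barracuda or its report; the two sample SVGs are constructed inline, and the element and attribute names it looks for (script, foreignObject, on* event handlers, javascript: URIs) are the standard places active content can sit in an SVG document.

```python
import xml.etree.ElementTree as ET

# Constructed sample attachments (not taken from the report).
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="blue"/>
</svg>"""

# A benign-looking image that also carries active content in several forms.
SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>/* embedded script placeholder */</script>
  <a xlink:href="javascript:void(0)"><text x="10" y="20">Open document</text></a>
  <foreignObject width="100" height="50">
    <div xmlns="http://www.w3.org/1999/xhtml">embedded HTML</div>
  </foreignObject>
</svg>"""


def local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data: str) -> list:
    """Return (finding, detail) tuples for every piece of active content found.

    Note: for untrusted input in production, parse with defusedxml rather than
    the stdlib parser to also cover entity-expansion attacks on the parser.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [("parse-error", str(exc))]
    for elem in root.iter():  # iter() walks the whole tree, root included
        tag = local(elem.tag)
        if tag == "script":
            findings.append(("script-element", (elem.text or "").strip()[:40]))
        if tag == "foreignObject":  # lets arbitrary HTML be embedded in the image
            findings.append(("foreign-object", tag))
        for attr, value in elem.attrib.items():
            aname = local(attr)
            if aname.lower().startswith("on"):  # onload, onclick, ...
                findings.append(("event-handler", f"{tag}@{aname}"))
            if aname in ("href", "src") and value.strip().lower().startswith("javascript:"):
                findings.append(("javascript-uri", f"{tag}@{aname}"))
    return findings


def is_suspicious(data: str) -> bool:
    """True when the SVG carries any active content worth quarantining."""
    return bool(scan_svg(data))
```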